The EBA’s Final Travel Rule Guidelines: What CASPs Need to Know - July 2024
The European Banking Authority (EBA) has issued new Travel Rule Guidelines to enhance the traceability of fund and crypto asset transfers, aiming to combat money laundering and terrorist financing. Stemming from Regulation (EU) 2023/1113, which aligns EU regulations with FATF standards, the Guidelines aim for consistent implementation across the EU, taking effect on December 30, 2024. After releasing a consultation paper in November 2023, to which Notabene responded, the EBA released the final Travel Rule Guidelines on July 4, 2024.
Relevance of the Travel Rule Guidelines: Aligning Travel Rule Supervisory Practices across the EU
The Guidelines reflect the EBA’s view on appropriate supervisory practices within the European System of Financial Supervision or how EU law should be applied in this area. Authorities should integrate these Guidelines into their practices, including adjusting their legal frameworks or supervisory processes as needed.
Key Takeaways from the EBA’s Final Travel Rule Guidelines - July 2024
Key Takeaways from the EBA’s Final Travel Rule Guidelines - July 2024
1. Flexibility in Originator Information
The final version of the Travel Rule guidelines clarifies that CASPs have the discretion to determine which “alternative information items” about the originator customer to transmit and demand receiving, as long as they achieve unambiguous identification and support sanction screening. This approach is intended to be better suited for cross-border transfers. [1]
2. Eased Requirements for Self-Hosted Wallet Transfers Below €1,000
- Consultation Paper: The EBA’s consultation paper required that CASPs “use suitable technical means to cross-match data, including blockchain analytics and third-party data providers, for the purpose of identifying or verifying the identity of the originator or the beneficiary.” [2]
- Final Guidelines: Now, only information collection obligations apply for self-hosted wallet transfers below 1,000, eliminating the need for technical means like blockchain analytics to cross-match collected data to identify and verify the originator or beneficiary. [3]
In response to the public consultation, Notabene argued that this requirement was disproportionate and technically unfeasible to implement. The framework initially proposed was stricter than the one set out in the Transfer of Funds Regulation (TFR), creating disproportionate obligations on small transactions. Additionally, Notabene argued that verifying identities through blockchain analytics is impractical, as these providers lack the capability to link personal identities with wallet addresses. We are pleased that the EBA adopted our suggestion, and this adjustment will make compliance more feasible for smaller transactions.
3. Simplified Verification for 1st-Party Self-Hosted Wallet Transfers ≥ €1,000
- Consultation Paper: The draft guidelines initially required CASPs to use two methods for wallet ownership verification. [4]
- Final Guidelines: The requirement to use two methods for wallet ownership verification has been removed. CASPs are now required to use only one method by default for verifying wallet ownership/control. [5]
In our consultation response, we successfully argued that requiring two methods for verifying wallet ownership/control may not enhance the verification process and could force the adoption of potentially inefficient practices. In the final version of the guidelines, CASPs are required to use only one method by default.
Notabene’s product suite includes a pop-up user interface designed to identify and verify Travel Rule counterparties at the point of transaction without impeding the transaction flow. SafeConnect obtains proof of self-hosted wallet (SHW) ownership through cryptographic signatures, one of the methods explicitly permitted in the guidelines.
{{european1="/cta-components"}}
4. Clarification for 3rd-Party Self-Hosted Wallet Transfers Above €1,000
While the TFR does not specify the requirements for third-party self-hosted wallet transfers above €1,000, the Travel Rule Guidelines clarify that if the SHW is owned or controlled by a third party who is not a customer of the CASP, the requirements outlined in Article 19a(1)/(a) of Directive (EU) 2015/849 (AMLD) apply. [6]
According to this provision, CASPs must evaluate the risks associated with transfers to or from self-hosted wallets. Additionally, CASPs are required to implement risk mitigation measures commensurate with the identified risks. These measures may include:
- Verifying the identity of the transfer's originator or beneficiary;
- Requesting additional information regarding the origin and destination of the transfer;
- Implementing enhanced ongoing monitoring of the transactions.
Therefore, CASPs should adopt a risk-based approach to transactions involving self-hosted wallets and implement any necessary risk mitigation measures proportional to the identified risks.
5. Full Compliance from December 30, 2024, is Mandatory
Travel Rule obligations apply to crypto asset service providers (CASPs) starting December 30, 2024. The EBA states: “From December 30 2024, CASPs as defined in MiCAR will be subject to the EU’s AML/CFT regime and, therefore, these Guidelines,” emphasizing that “non-compliance with Regulation (EU) 2023/1113 is not accepted.” [7]
CASPs may use infrastructures or services with technical limitations until July 31, 2025, provided they fully compensate with additional technical steps to comply with these Guidelines. Full compliance is still mandatory. [8]
6. The EBA Provides Criteria to Evaluate Travel Rule Solutions
When choosing the messaging or payment and settlement system(s), CASPs and ICASPs should
take proportionate, risk-sensitive measures to assess: [9]
- Seamless Integration: The system’s ability to communicate with other internal core systems and with the messaging or payment and settlement systems of the counterparty of a transfer and its compatibility with other blockchain networks
Notabene’s open network approach and integrations with top blockchain analytics, custodians, and sanction screening providers guarantee this connectivity. Additionally, Notabene’s SafeGateway builds secure clients for each Travel Rule messaging protocol, significantly expanding our users' connectivity and enabling them to engage with VASPs on previously inaccessible protocols.
- The reachability of the protocol (i.e., the diversity and accuracy of counterparties that can be reached using the protocol – subject to the CASP's own due diligence assessment – and the rate of transfers that would successfully be sent to the intended beneficiary or received from the originator);
Notabene’s robust network ensures high transaction success rates.
- How the system enable the CASP or ICASP to detect a transfer with missing or incomplete information;
Notabene’s SafeTransact excels here, automatically identifying deposits lacking Travel Rule information and promptly requesting the necessary details from the originator VASP.
The EBA’s final Travel Rule Guidelines mark a significant step in enhancing the traceability of fund and crypto asset transfers across the EU. With full compliance required by December 30, 2024, CASPs must prepare to meet these new requirements. Notabene’s solutions are designed to help CASPs navigate these changes efficiently, ensuring compliance while maintaining smooth transaction flows.
{{european2="/cta-components"}}
[1] European Banking Authority. Guidelines on information requirements in relation to transfers of funds and certain crypto-assets transfers under Regulation (EU) 2023/1113 (‘Travel Rule Guidelines’). Para. 39
[2] European Banking Authority. (2023). Consultation Paper on the Draft Guidelines on Preventing the Abuse of Funds and Certain Crypto-Assets Transfers for Money Laundering and Terrorist Financing Purposes under Regulation (EU) 2023/1113 (‘Consultation paper on draft Travel Rule Guidelines’). EBA/CP/2023/35. November 24, 2023, para 67a
[3] Travel Rule Guidelines, para 80
[4] Consultation paper on draft Travel Rule Guidelines, para 69
[5] Travel Rule Guidelines, para 83d
[6] This Directive (commonly known as AMLD4) was in part replaced by Regulation 2024/1624 (commonly known as AMLR). Article 19a of the AMLD4 was incorporated into the AMLR through Article 40.
[7] Travel Rule Guidelines, page 51
[8] Travel Rule Guidelines, page 6, para. B
[9] Travel Rule Guidelines, para 26a